Is the iPhone Vulnerable to SMS Spoofing and Hacks? Yes, but Don't Blame your Wireless Carrier

By Tony Rizzo August 24, 2012

On August 17 last week, the researcher behind the pod2g blog posted a claim that he had discovered a vulnerability in the iPhone's SMS software that, if properly exploited, would allow a phisher or other attacker to gain a mobile user's trust by spoofing the apparent sender of a text message, potentially leading to further and harmful mischief.

Following the disclosure, various wireless carriers found themselves being blamed for the security hole.

It turns out, however, that no matter how much you may want to blame your carrier for your iPhone's security vulnerability, the truth is there’s only Apple to blame.

The vulnerability itself is technical in nature but also exceptionally easy to understand. The SMS protocol provides for an optional "Reply-Address" field, which a knowledgeable person could use to make a message appear to come from someplace other than where it originated. That is, a message could be shown as coming from a "trusted" source (e.g. a known phone number or name) although it actually came from a malicious source.

Why provide such a capability in the first place?

“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” said Cathal McDaid, Security Consultant at AdaptiveMobile.

When not used in this manner, the SMS protocol is very explicit about how the “feature” needs to be treated. The issue that pod2g identified is that an iPhone will display the reply-address as the sending address within the iPhone SMS client, and does not show the real “originating-address.”

“We know conclusively that this is not a wireless carrier network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and gives recommendations on how to avoid malicious use of this,” continued McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply-address’ field or display both the ‘real’ originating address and the reply address – which is what the specification recommends.”

"The use of the Reply-Address is exceptionally rare in mobile networks now," McDaid added. "It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialized – it is one of the many extended SMS function fields that didn't get much traction. The simple answer to the problem then is to simply ignore the reply-address field altogether."

And this is exactly what almost all other device manufacturers do. The iPhone, almost as if by magic, is the only smart mobile device that doesn't ignore it, and that simultaneously uses SMS software that does not comply with the SMS protocol security recommendations. Apple is well aware of the issue and the security weakness, but for reasons only Apple is aware of, the company has not stated any intention of fixing the rather simple-to-fix problem.
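As an added illustration (not code from the article, pod2g or AdaptiveMobile), here is a small Python decoder for the reply-address element as 3GPP TS 23.040 carries it in the SMS User Data Header, with the two display policies the article contrasts placed side by side; the originator and the message bytes are constructed for the example.

```python
from typing import Optional

IEI_REPLY_ADDRESS = 0x22  # "Reply Address Element" identifier in the User Data Header


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode BCD digits, low nibble first; a 0xF nibble is padding."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble < 10:
                digits.append(str(nibble))
    return "".join(digits[:ndigits])


def parse_address(buf: bytes) -> str:
    """Address field: digit count, type-of-address byte, then semi-octet digits."""
    ndigits, toa = buf[0], buf[1]
    number = decode_semi_octets(buf[2:2 + (ndigits + 1) // 2], ndigits)
    return ("+" if (toa & 0x70) == 0x10 else "") + number  # type 0x1 = international


def reply_address(user_data: bytes) -> Optional[str]:
    """Walk the User Data Header and return the Reply Address, if one is present."""
    udhl, i = user_data[0], 1
    while i + 1 < 1 + udhl:
        iei, iedl = user_data[i], user_data[i + 1]
        if iei == IEI_REPLY_ADDRESS:
            return parse_address(user_data[i + 2:i + 2 + iedl])
        i += 2 + iedl
    return None


def sender_trusting_reply(originating: str, user_data: bytes, udhi: bool) -> str:
    """The behaviour the article attributes to iOS: the reply address replaces the sender."""
    reply = reply_address(user_data) if udhi else None
    return reply or originating


def sender_per_spec(originating: str, user_data: bytes, udhi: bool) -> str:
    """What McDaid describes other handsets doing: always show the real originator,
    and surface a differing reply address instead of hiding it."""
    reply = reply_address(user_data) if udhi else None
    if reply is None or reply == originating:
        return originating
    return f"{originating} (reply-to: {reply})"


# Constructed test vector: a UDH carrying a Reply Address of +15550002222 (11 digits,
# international), followed by the body as plain bytes (7-bit packing skipped here).
SAMPLE_USER_DATA = bytes([0x0A, 0x22, 0x08, 0x0B, 0x91, 0x51, 0x55, 0x00, 0x20, 0x22, 0xF2]) + b"Please call me back"
SAMPLE_ORIGINATOR = "+15550001111"  # the originating address the network actually delivered
```

The UDHI flag (set in the SMS-DELIVER header when a User Data Header is present) is passed in explicitly because without it the first bytes of the body must not be read as a header.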

Apple has suggested using its iMessage service instead to circumvent the problem. That is an interesting approach for Apple to take, but even with Apple extremists there will be times when an iPhone user may want to communicate with someone other than another iPhone user – it's been known to happen.

Of course, Apple will play the contrarian any time it can, but even so, we can't quite figure out why it is the lone agent here supporting a defunct SMS feature that presents a security hole if improperly handled (and Apple handles it improperly).

For those of you waiting to upgrade to iOS 6, it won't fix the problem. The beta 4 version of iOS 6, which will likely become the shipping version in a few weeks, still has the problem. There is no Apple magic on this particular issue.

Edited by Braden Becker

TechZone360 Senior Editor
